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IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 
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Applicant(s): V.N. Kumar et al. 

Case: 5-5 

Serial No.: 10/723,150 

Filing Date: November 26, 2003 

Group: 2134 

Examiner: Christopher J. Brown 

Title: Access Control List Constructed as a Tree of Matching Tables 



APPEAL BRIEF 

Commissioner for Patents 

P.O. Box 1450 

Alexandria, VA 22313-1450 

Sir: 

Applicants (hereinafter "Appellants") hereby appeal the final rejection dated December 4, 
2007 of claims 1-20 of the above-identified application. 

REAL PARTY IN INTEREST 

The present application is assigned of record to Agere Systems Inc. On April 2, 2007, 
the assignee Agere Systems Inc. completed a merger with LSI Logic Corporation, with the 
resulting entity being named LSI Corporation. LSI Corporation is the real party in interest. 

RELATED APPEALS AND INTERFERENCES 
There are no known related appeals or interferences. 
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STATUS OF CLAIMS 
The present application was filed on November 26, 2003, with claims 1-20, all of which 
remain pending. Claims 1,15 and 20 are the independent claims. 

Each of claims 1-20 stands rejected under 35 U.S.C. §103(a). Claims 1-20 are appealed. 

STATUS OF AMENDMENTS 
There have been no amendments filed subsequent to the final rejection. 

SUMMARY OF CLAIMED SUBJECT MATTER 
Independent claim 1 is directed to a method of generating a representation of an access 
control list. The method includes the steps of determining a plurality of rules of the access 
control list, with each of at least a subset of the rules having a plurality of fields and a 
corresponding action, and processing the rules to generate a multi-level tree representation of the 
access control list, with each of one or more of the levels of the tree representation being 
associated with a corresponding one of the fields. The claim further recites that at least one level 
of the tree representation other than a root level of the tree representation comprises a plurality of 
nodes, with at least two of the nodes at that level each having a separate matching table 
associated therewith. 

In an illustrative embodiment, described in conjunction with FIG. 3 of the drawings, a 
tree representation 300 of an access control list includes three levels, denoted Level 1, Level 2 
and Level 3, with Level 1 being the root level and Level 3 being the leaf level. Levels 1 and 2 
are associated with source address and destination address fields, respectively, of the rules of the 
access control list. Each of a plurality of nodes associated with Level 2 of the tree representation 
300 includes a separate matching table, with the separate matching tables associated with the 
respective nodes of Level 2 being denoted 310-1, 310-2, . . . 310-7. See the specification at, for 
example, page 11, line 18, to page 12, line 25. 

Independent claim 15 is directed to an apparatus configured for performing one or more 
processing operations utiUzing a representation of an access control list. The apparatus 
comprises a processor having memory circuitry associated therewith, with the memory circuitry 
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being configured for storing at least a portion of a multi-level tree representation of the access 
control list, where each of one or more of the levels of the tree representation is associated with a 
corresponding one of the fields. At least one level of the tree representation other than a root 
level of the tree representation comprises a plurality of nodes, with at least two of the nodes at 
that level each having a separate matching table associated therewith. The processor is operative 
to utilize the stored tree representation to perform an access control list based function. 

In an illustrative embodiment, as shown in FIG. 1 of the drawings, the recited processor 
comprises network processor 102, and the associated memory circuitry comprises internal 
memory 104, extemal memory 106, or a combination of both. The tree representation 300 
shown in FIG. 3 is utilized by packet filter 114 of network processor 102 to perform packet 
filtering operations. See the specification at page 7, lines 1-6. 

Independent claim 20 is directed to an article of manufacture comprising a machine- 
readable storage medium having program code stored thereon, the program code generating a 
representation of an access control list, with the representation being utilizable in a processor. 
The program code when executed implements the method steps set forth in claim 1. 

In an illustrative embodiment, program code for generating a representation of an access 
control list is stored in the host processor 112 of FIG. 1. This program code is utilized to 
generate a multi-level tree representation, such as tree representation 300 of FIG. 3, that is 
downloaded to memory circuitry 104, 106 associated with the network processor 102. The 
representation is utilized by the network processor 102 to perform packet filtering operations. 
See the specification at page 7, lines 1-19. 

The claimed invention provides a number of significant advantages over conventional 
techniques. For example, the recited arrangements provide substantially performance 
improvements relative to the per-field LPM approach, which requires the use of a separate 
matching table for each field of an ACL rule set. See the specification at page 8, line 6, to page 
9, line 24, and page 1 1, lines 10-17. 
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GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL 

1. Claims 1, 3-9, 11, 12, 15, 17 and 20 are rejected under 35 U.S.C. §103(a) as being 
unpatentable over U.S. Patent Application Publication No. 2002/0085560 (hereinafter "Cathey") 
in view of U.S. Patent Application Publication No. 2003/0188198 (hereinafter "Holdsworth"). 

2. Claim 2 is rejected under 35 U.S.C. § 103(a) as being unpatentable over Cathey and 
Holdsworth in view of U.S. Patent Application Publication No. 2003/0005146 (hereinafter 
"Miller"). 

3. Claims 10, 13, 14, 16, 18 and 19 are rejected under 35 U.S.C. §103(a) as being 
unpatentable over Cathey and Holdsworth in view of U.S. Patent No. 6,651,096 (hereinafter 
"Gai"). 

ARGUMENT 

1. §103(a) Rejection of Claims 1. 3-9, IL 12. 15, 17 and 20 
Claims L 3-5, 8, 1 L 12, 15. 17 and 20 

In order to establish a proper prima facie case of obviousness under 35 U.S.C. § 103(a), 
the Examiner must establish that the differences between the subject matter sought to be patented 
and the prior art are such that the subject matter as a whole would have been obvious at the time 
the invention was made to a person having ordinary skill in the art to which the subject matter 
pertains. 

Appellants submit that the Examiner has failed to establish a proper prima facie case of 
obviousness for the present § 103(a) rejections, in that even if the references are assumed to be 
combinable, the combination of Cathey and Holdsworth fails to meet all the claim limitations, 
and in that no cogent motivation has been identified for combining the references or for 
modifying the reference teachings to reach the claimed invention. Further, even if it is assumed 
that a proper prima facie case has been established, there are particular teachings in one or more 
of the references which controvert the obviousness argument put forth by the Examiner. 

As noted above, independent claim 1 is directed to a method of generating a 
representation of an access control list. The method includes the steps of determining a plurality 
of rules of the access control list, with each of at least a subset of the rules having a plurality of 
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fields and a corresponding action, and processing the rules to generate a multi-level tree 
representation of the access control Hst, with each of one or more of the levels of the tree 
representation being associated with a corresponding one of the fields. The claim further recites 
that at least one level of the tree representation other than a root level of the tree representation 
comprises a plurality of nodes, with at least two of the nodes at that level each having a separate 
matching table associated therewith . 

Thus, in the claimed arrangement, a given non-root level of a tree representation of an 
access control hst comprises two or more nodes that have separate matching tables. An 
illustrative embodiment of an arrangement of this type can be seen in FIG. 3 of the drawings, 
where each of a plurality of nodes associated with Level 2 of the tree representation 300 includes 
a separate matching table, with the separate matching tables being denoted 310-1, 310-2, . . . 
310-7. Level 1 of this tree representation is the root level. Exemplary advantages of this 
approach relative to the conventional per-field LPM approach, which requires the use of a 
separate matching table for each field of an ACL rule set, are described in the specification at 
page 8, line 6, to page 9, line 24, and page 11, lines 10-17. 

The Examiner in formulating the §103 (a) rejection argues that each and every limitation 
of claim 1 is met by the collective teachings of Cathey and Holdsworth. Appellants respectfully 
disagree. The collective teachings of these references fail to meet at least the above-noted 
limitations of claim 1 relating to generating a multi-level tree representation of an access control 
list, with each of one or more of the levels of the tree representation being associated with a 
corresponding one of the fields, and with at least one level of the tree representation other than a 
root level of the tree representation comprising a plurality of nodes, with at least two of the nodes 
at that level each having a separate matching table associated therewith. The Examiner 
acknowledges with reference to the decision tree shown in FIG. 5B of Cathey that such an 
arrangement does not teach or suggest multiple nodes at a given non-root level having separate 
matching tables as recited. See the final Office Action at page 4, first paragraph. This is further 
apparent from the teachings in paragraph [0064] of Cathey, which indicate that each of the leaves 
is coupled to the root "via a unique set of linked branches." 
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Nonetheless, the Examiner argues that the missing teachings are shown in paragraph 
[0048] of Holdsworth. See the final Office Action at page 4, second paragraph. However, 
Appellants note that the relied-upon portion of Holdsworth does not teach or suggest generation 
of a multi-level tree representation of an ACL, but to the contrary discloses that each message 
topic in a tree where each node corresponds to a different topic can have an associated ACL that 
determines who is able to publish or subscribe on that topic. Thus, Holdsworth does not teach 
the recited generation of a multi-level tree representation of an ACL, but instead the use of a 
separate ACL for each node of a tree of message topics . As the Examiner has acknowledged, the 
decision tree shown in FIG. 5B of Cathey does not teach a multi-level tree representation in 
which two or more nodes at a given level of the tree each have separate matching tables 
associated therewith. 

The Examiner at page 2, fourth paragraph, of the final Office Action fiirther indicates that 
the Holdsworth reference "is merely relied upon to show separate matching ACL tables." 
However, this is not what the relied-upon portion of Holdsworth shows. To the contrary, and as 
indicated above, paragraph [0048] of Holdsworth relates to an arrangement, such as tree 
structure 10 as shown in FIG. 2 of Holdsworth, where the nodes correspond to topics, and where 
each such topic has at least one associated ACL that determines who is able to publish or 
subscribe on that topic. The claimed invention, as set forth in claim 1, is directed to a method of 
generating a multi-level tree representation of an ACL . This is fundamentally distinct from the 
relied-upon Holdsworth arrangement in which a tree structure of topic nodes has one or more 
ACLs associated with each node. To put it in more simple terms, the claimed invention relates 
to a tree representation of a given ACL, while the Holdsworth arrangement relates to a tree 
structure that includes topic nodes each of which is associated with a different one of a plurality 
of ACLs. The tree structure in Holdsworth is clearly not a tree representation of an ACL , and 
accordingly is not directly relevant to a claim that is directed to a method of generating a tree 
representation of an ACL. 

It was mentioned previously that the decision tree shown in FIG. 5B of Cathey does not 
meet the claim limitation regarding at least one level of the tree representation other than a root 
level having a plurality of nodes with at least two of the nodes at that level each having a 
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separate matching table associated therewith. The Holdsworth arrangement fails to supplement 
this deficiency of Cathey, as it too fails to teach or suggest a tree representation of an ACL in 
which at least one level of the tree representation other than a root level has a plurality of nodes 
with at least two of the nodes at that level each having a separate matching table associated 
therewith. Holdsworth instead discloses a tree structure of topics with each topic having at least 
one separate ACL. See, for example, the Holdsworth tree structure as shown in FIG. 4, where 
the ACLs associated with each topic are "displayed by activating the ACL button 134 at a node 
of interest," as described in paragraph [0102]. Thus, Holdsworth provides no teaching 
whatsoever regarding how to generate a multi-level tree representation of an ACL. In fact, it has 
nothing at all to do with generating a representation of an ACL, and does not attempt to use its 
tree structure to represent an ACL. Again, what Holdsworth shows is a tree structure where each 
node has one or more ACLs associated therewith. 

In an Advisory Action dated March 27, 2008, at page 2, the Examiner further argues that 
"Cathey does teach separate matching tables, as well as Holdsworth.'' Appellants respectfully 
disagree. It is initially noted that this statement is inconsistent with the statement of the 
Examiner at page 4, first paragraph, of the final Office Action, which indicates that "Cathey fails 
to . . . explicitly state separate matching tables." The decision tree in FIG. 5B of Cathey is not 
described therein as including separate matching tables at respective ones of the Header Check 2 
nodes 352a and 352b. To the contrary, as there are only two possible outcomes of each of the 
nodes 352a and 352b, it would appear that there is no need for a matching table at those nodes. 
See Cathey at paragraph [0064]. 

Accordingly, the collective teachings of Cathey and Holdsworth fail to meet the 
limitations of claim 1 . 

The Examiner further argues that it would be obvious to use the ACL of Holdsworth in 
the programmable packet processor of Cathey. However, as noted above, Holdsworth teaches to 
associate a separate ACL with each node of a tree of message topics. Such an arrangement 
appears to be incompatible with the packet processing approach of Cathey, and accordingly one 
skilled in the art would not be motivated to apply the Holdsworth teachings to Cathey. For 
example, in applying Holdsworth to Cathey, would one associate a separate ACL with each of 
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the nodes of the decision tree of FIG. 5B? This would appear to unnecessarily complicate the 
Cathey decision tree arrangement, in that the entire decision tree in FIG. 5B of Cathey is a single 
ACL . See Cathey at paragraph [0061]. Moreover, the Cathey reference at paragraph [0064] 
noted above teaches that each of the leaves of the FIG. 5B decision tree is coupled to the root 
"via a unique set of linked branches," which is believed to be a direct teaching away from the 
recited use of separate matching tables for at least two different nodes at the same non-root level 
of a tree representation. 

The Examiner argues that the statement in Cathey to the effect that each of the leaves of 
the FIG. 5B decision tree is coupled to the root "via a unique set of linked branches" does not 
teach away from the claimed use of separate matching tables at two nodes of a non-root level of 
a tree representation of an ACL. See the final Office Action at page 2, second to last paragraph. 
However, one can see with reference to FIG. 5B that the implication of the statement in Cathey 
is that there is only a single branching that occurs at each node, and hence none of the nodes 
have separate matching tables. This is in contrast to, for example, the above-noted illustrative 
embodiment shown in FIG. 3 of the present appUcation, where each Level 2 node 304 of the tree 
representation 300 comprises a separate matching table 310. 

The Examiner in the final Office Action at page 4, third paragraph, indicates that it would 
have been obvious to combine Cathey and Holdsworth because to do so would "allow[s] security 
and access control to be performed to enhance network security." Appellants respectfully submit 
that this statement fails to provide sufficient motivation for combination of Cathey with 
Holdsworth. The decision tree of FIG. 5B in Cathey alone can clearly by used to provide access 
control and network security. See Cathey at, for example, step 376 of FIG. 6 and element 414 of 
FIG. 7. Accordingly, the proffered statement provides no motivation whatsoever for one skilled 
in the art to look to Holdsworth, which describes a topic tree in which each topic node has an 
associated ACL. 

The statement of motivation provided by the Examiner therefore appears to be a 
conclusory statement of the sort rejected by both the Federal Circuit and the U.S. Supreme Court. 
See KSR v. Teleflex . 127 S.Ct. 1727, 1741, 82 USPQ2d 1385, 1396 (U.S., Apr. 30, 2007), 
quoting In re Kahn. 441 F. 3d 977, 988 (Fed. Cir. 2006) ("[R]ejections on obviousness grounds 
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cannot be sustained by mere conclusory statements; instead, there must be some articulated 
reasoning with some rational underpinning to support the legal conclusion of obviousness."). 
There has been no showing in the present § 103(a) rejection of claim 1 of objective evidence of 
record that would motivate one skilled in the art to combine Cathey and Holdsworth to produce 
the particular limitations in question. Rather, the above-quoted statement of motivation provided 
by the Examiner appears to be a conclusory statement of the type ruled insufficient in the KSR 
case. In order to avoid the improper use of a hindsight-based obviousness analysis, particular 
findings must be made as to why one skilled in the relevant art, having no knowledge of the 
claimed invention, would have combined the teachings of Cathey and Holdsworth in the claimed 
manner. See, e.g., In re Kotzab, 217 F.3d 1365, 1371, 55 USPQ2d 1313, 1317 (Fed. Cir. 2000). 
The Examiner has failed to meet that burden here. 

Appellants further submit that the proposed combination entirely fails to provide the 
previously-described significant benefits attributable to the claimed arrangements. See the 
specification at, for example, page 8, line 6, to page 9, line 24, and page 11, lines 10-17. 
Accordingly, one skilled in the art would not appreciate that such benefits would result from the 
proposed combination, and would therefore not be motivated to combine or modify the teachings 
of the Cathey and Holdsworth references. 

Moreover, as mentioned previously, there are teachings in the cited references that appear 
to indicate that the references should not be combined in the proposed manner. For example, as 
noted above, since there are only two possible outcomes of each of the nodes 352a and 352b in 
the decision tree in FIG. 5B of Cathey, it would appear that there is no need for a matching table 
at those nodes. In addition, Holdsworth teaches that each node of a tree structure has an 
associated ACL, while the decision tree in FIG. 5B of Cathey is representative of a single ACL. 
Accordingly, there would appear to be no need for the Holdsworth approach in the packet 
classification application of Cathey. 

It is therefore believed that independent claim 1 is not obvious in view of the proposed 
combination of cited references. 

Independent claims 15 and 20 are beheved allowable for reasons similar to those 
identified above with regard to independent claim 1. 
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Dependent claims 3-5, 8, 11, 12 and 17 are believed allowable for at least the reasons 
identified above with regard to their respective independent claims. 

Claim 6 

Dependent claim 6 further recites that a second level of the tree representation includes a 
plurality of nodes, each being associated with a subtree of a given one of the distinct source 
addresses of the root level of the tree. The Examiner argues that this limitation is met by the 
teachings in FIG. 5B and paragraph [0063] of Cathey. See the final Office Action at page 4, last 
paragraph. However, the decision tree in FIG. 5B of Cathey does not appear to be configured in 
the particular manner recited in the claim. For example, the second level of the FIG. 5B decision 
tree, denoted as Header Check 2, is not disclosed as having nodes that are each associated with a 
subtree of a given one of a number of distinct source addresses of the root level of the tree. An 
example of the latter type of arrangement is shown in FIG. 3 of the present specification, where 
each of a number of the Level 2 nodes of the tree representation 300 is associated with a subtree 
of a distinct source address at the root level of the representation. This type of arrangement is 
not met by FIG. 5B of Cathey, and accordingly the collective teachings of Cathey and 
Holdsworth fail to render this claim obvious. 

Claim 7 

Dependent claim 7 further recites that a given one of the second level subtrees identifies 
one or more destination addresses to be examined if the corresponding root level source address 
matches a source address of a given received packet. The Examiner again relies on FIG. 5B and 
paragraph [0063] of Cathey, stating that Header Check 2 may "include a destination address." 
However, the limitation in question calls for a given subtree to identify one or more destination 
addresses to be examined. An example can again be seen in the tree representation 300 of FIG. 3 
of the present specification, where a given node of Level 2, such as node 310-1, has an 
associated subtree identifying a number of different destination addresses. See the specification 
at page 12, lines 12-18. Cathey fails to teach or suggest such an arrangement, and the 
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Holdsworth reference does not overcome this fundamental deficiency of Cathey as applied to 
claim 7. 

Claim 9 

Dependent claim 9 fixrther recites that the tree representation is generated by associating a 
first node at the root level with a given value in a first field of one of the plurality of rules, and 
then processing remaining field values sequentially, with each value in turn being compared to 
one or more existing values at the appropriate node(s) of the tree representation to determine if a 
match exists, and associating that value with a matching table at one of the nodes of the tree 
representation based at least in part on the determination. These limitations relate to generating a 
tree representation of an ACL. The Examiner argues that the limitations are met by FIG. 5B and 
paragraphs [0063], [0067] and [0078] of Cathey. See the final Office Action at page 5, third 
paragraph. However, these portions of Cathey do not describe how the decision tree of FIG. 5B 
is generated . To the contrary, these portions simply describe how the FIG. 5B decision tree is 
used. There is no mention whatsoever regarding how to generate the FIG. 5B decision tree, 
much less any mention of generating such a tree using sequential processing of field values and 
matching table association as in the claim at issue. Accordingly, the collective teachings of 
Cathey and Holdsworth fail to meet the limitations of claim 9. 

2. § 103(a) Rejection of Claim 2 

Dependent claim 2 further recites that the separate matching tables associated with 
respective ones of at least two different nodes of the non-root level of the tree comprise longest 
prefix matching (LPM) tables. The Examiner argues that the limitation is met by the reference to 
longest prefix match operations referred to in paragraph [0031] of Miller. However, as indicated 
previously herein, Cathey and Holdsworth collectively fail to teach or suggest an arrangement in 
which at least two of the nodes at a non-root level of a tree representation each have a separate 
matching table associated therewith. Moreover, each node of the decision tree in FIG. 5B of 
Cathey, relied upon by the Examiner, appears to be configured so as require only a single 
decision operation, which would suggest that a matching table is not needed or desirable. The 
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Holdsworth and Miller references fail to remedy this fundamental deficiency of Cathey as 
applied to dependent claim 2. As Appellants have indicated in their specification at, for 
example, page 8, line 1, to page 9, line 7, a conventional per-field LPM approach has a separate 
LPM table associated with each field of an ACL rule set. The arrangement recited in claim 2, by 
way of contrast, associates separate LPM tables with respective nodes of a single non-root level 
of a binary representation of an ACL. Accordingly, it is believed that the cited references fail to 
teach or suggest an arrangement in which at least two non-root level nodes have respective LPM 
tables associated therewith. 

3. §103(a) Rejection of Claims 10. 13. 14, 16. 18 and 19 
Claim 10 

Dependent claim 10 further recites that for each of at least a subset of the nodes of the 
tree representation having a separate matching table associated therewith, values in the matching 
table are arranged in order of decreasing specificity. These nodes of the tree are indicated in 
claim 1 as being non-root level nodes of the tree . The Examiner relies on the source address 
field in the table shown in FIG. 5A of Gai. See the final Office Action at page 7, last paragraph, 
to page 8, first paragraph. However, in the FIG. 5B decision tree of Cathey, which the Examiner 
has combined with Gai in formulating the rejection, the source address field is apparently a root 
node of the FIG. 5B decision tree. Thus, the fact that "wildcards decrease down the lisf in the 
source address column of FIG. 5 A of Gai fails to meet the limitation in question, as that column 
would apparently relate to a root node of the Cathey decision tree. It is also noted that the 
remaining columns of the FIG. 5A table in Gai are not arranged in the recited maimer. For 
example, the destination addresses in the second column of that table are not arranged in order of 
decreasing specificity. Accordingly, it is believed that the collective teachings of Cathey, 
Holdsworth and Gai fail to meet the particular limitations of claim 10. 

Claims 13. 14. 16. 18 and 19 

Dependent claims 13, 14, 16, 18 and 19 are believed allowable for at least the reasons 
identified above with regard to their respective independent claims. 
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In view of the above, Appellants believe that claims 1-20 are in condition for allowance, 
and respectfully request the withdrawal of the §103(a) rejections. 



Respectfully submitted, 



Date: May 5, 2008 




Attorney for Appellant(s) 
Reg. No. 37,922 
Ryan, Mason & Lewis, LLP 
90 Forest Avenue 
Locust Valley, NY 11560 
(516) 759-7517 
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CLAIMS APPENDIX 

1 . A method of generating a representation of an access control list, the representation 
being utilizable in a processor, the method comprising the steps of: 

determining a plurality of rules of the access control list, each of at least a subset 
of the rules having a plurality of fields and a corresponding action; and 

processing the rules to generate a multi-level tree representation of the access 
control list, each of one or more of the levels of the tree representation being associated with a 
corresponding one of the fields; 

wherein at least one level of the tree representation other than a root level of the 
tree representation comprises a plurality of nodes, with at least two of the nodes at that level each 
having a separate matching table associated therewith. 

2. The method of claim 1 wherein the matching table comprises a longest prefix 
matching (LPM) table. 

3. The method of claim 1 wherein the plurality of fields comprises at least first and 
second fields, the first field comprising a source address field and the second field comprising a 
destination address field. 

4. The method of claim 1 wherein a final level of the tree representation comprises a 
plurality of leaf nodes, each associated with one of the actions of the plurality of rules. 
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5. The method of claim 1 wherein the root level of the tree representation includes a 
plurality of field values, each corresponding to a distinct source address in a first field of the 
plurality of rules. 

6. The method of claim 5 wherein a second level of the tree representation includes a 
plurality of nodes, each being associated with a subtree of a given one of the distinct source 
addresses of the root level of the tree. 

7. The method of claim 6 wherein a given one of the second level subtrees identifies one 

or more destination addresses to be examined if the corresponding root level source address 
matches a source address of a given received packet. 

8. The method of claim 1 wherein a matching table at a given level of the tree 
representation other than a root level of the tree representation comprises at least a portion of a 
subtree identified by a particular field value from an immediately previous level. 

9. The method of claim 1 wherein the tree representation is generated by associating a 
first node at the root level with a given value in a first field of one of the plurality of rules, and 
then processing remaining field values sequentially, with each value in tum being compared to 
one or more existing values at the appropriate node(s) of the tree representation to determine if a 
match exists, and associating that value with a matching table at one of the nodes of the tree 
representation based at least in part on the determination. 
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10. The method of claim 1 wherein at each of at least a subset of the nodes of the tree 
representation having a separate matching table associated therewith, values in the matching 
table are arranged in order of decreasing specificity. 

11. The method of claim 1 wherein the corresponding actions include at least an accept 
action and a deny action. 

12. The method of claim 1 further including the step of storing at least a portion of the 

tree representation in memory circuitry accessible to the processor. 

13. The method of claim 1 further including the step of utilizing the stored tree 
representation to perform an access control list based function in the processor. 

14. The method of claim 13 wherein the access control list based function comprises 
packet filtering. 

15. An apparatus configured for performing one or more processing operations utilizing 
a representation of an access control list, the access control list comprising a plurality of rules, 
each of at least a subset of the rules having a plurality of fields and a corresponding action, the 
apparatus comprising: 

a processor having memory circuitry associated therewith; 
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the memory circuitry being configured for storing at least a portion of a multi- 
level tree representation of the access control list, each of one or more of the levels of the tree 
representation being associated with a corresponding one of the fields; 

the processor being operative to utilize the stored tree representation to perform 
an access control list based function; 

wherein at least one level of the tree representation other than a root level of the 
tree representation comprises a plurality of nodes, with at least two of the nodes at that level each 
having a separate matching table associated therewith. 

16. The apparatus of claim 15 wherein the access control list based function comprises 
packet filtering. 

17. The apparatus of claim 15 wherein the memory circuitry comprises at least one of 
intemal memory and external memory of the processor. 

18. The apparatus of claim 15 wherein the processor comprises a network processor. 

19. The apparatus of claim 15 wherein the processor is configured as an integrated 

circuit. 

20. An article of manufacture comprising a machine-readable storage medium having 
program code stored thereon, the program code generating a representation of an access control 
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list, the representation being utilizable in a processor, wherein the program code when executed 
implements the steps of: 

determining a plurality of rules of the access control list, each of at least a subset 
of the rules having a plurality of fields and a corresponding action; and 

processing the rules to generate a multi-level tree representation of the access 
control list, each of one or more of the levels of the tree representation being associated with a 
corresponding one of the fields; 

wherein at least one level of the tree representation other than a root level of the 
tree representation comprises a plurality of nodes, with at least two of the nodes at that level each 
having a separate matching table associated therewith. 
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RELATED PROCEEDINGS APPENDIX 

None 
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